IT Baseline Protection Manual S 2.175 Setting up a WWW server

S 2.175 Setting up a WWW server

Initiation responsibility: Agency/company management

Implementation responsibility: Head of IT Section, Administrator

Commissioning a WWW server

In order to set up a WWW server, in addition to appropriate hardware it is also necessary to procure corresponding software. A large number of products are available for this purpose. When the products are selected, apart from stability, particular importance must be attached to the security mechanisms (for notes on procurement and installation see also Chapter 9.1 Standard software).

Adapting the organisational structure

Consideration must be given to what information is to be made available on the Internet or in an intranet. It is also necessary to clarify how and where documents are compiled, who produces which documents, which documents are used where, and who requires these documents. Guidelines on presenting a uniform identity for documents, file names and directory names should then be drawn up on the basis of these findings, and if possible standardised development tools should be specified.

Nominating responsible personnel

During operation of a WWW server, whether internally or externally, it should not be possible for every user to upload files at will. One responsible member of staff should therefore be nominated for uploading information, and this person should also check new files to ensure that they conform to the guidelines. Depending on the size of the organisation, other staff members can also be given subsidiary responsibility for individual organisational units or specific areas of the WWW server. The assignment of rights and the directory structure on the WWW server must also be specified in accordance with the chosen organisational structure. In particular, every person responsible for a subsection should have access only to those subdirectories which they are managing.

In order to ensure that the files and directories that are created always meet the respective guidelines, observance of the guidelines should be checked automatically, for example using appropriate scripts or macros. A prepared program should be made available to everyone, and should be invoked every time a change is made. Particular attention should be paid to checking the following points:

A file detailing the changes that have been made should also be generated directly.
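The following Python script is an added example, not part of the manual, of such a prepared check program: it enforces a constructed naming guideline (lower case, no spaces), flags HTML comments as possible residual information, verifies that relative links resolve inside the document root (the link check this measure returns to under Configuration management), and appends one entry per changed file to a change log. The naming rule, the list of changed files and the document root contents are all assumptions made for the example.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_.-]*$")  # constructed naming guideline: lower case, no spaces
LINK_RE = re.compile(r'href="([^"#?]+)', re.IGNORECASE)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

def check_file(docroot, relpath):  # returns the list of violations; an empty list means accepted
    root, problems = os.path.abspath(docroot), []
    for part in relpath.split("/"):
        if not NAME_RE.match(part):
            problems.append(f"{relpath}: name '{part}' violates the naming guideline")
    if relpath.lower().endswith((".html", ".htm")):
        with open(os.path.join(root, relpath), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if COMMENT_RE.search(text):  # author notes left in comments are residual information
            problems.append(f"{relpath}: HTML comment found (possible residual information)")
        for target in LINK_RE.findall(text):
            if "://" in target or target.startswith("mailto:"):
                continue  # external links are not verified locally
            base = root if target.startswith("/") else os.path.dirname(os.path.join(root, relpath))
            full = os.path.normpath(os.path.join(base, target.lstrip("/")))
            if not full.startswith(root + os.sep) or not os.path.isfile(full):
                problems.append(f"{relpath}: link '{target}' is broken or leaves the document root")
    return problems

def check_changes(docroot, changed, logpath):  # checks each changed file and records the outcome
    report = {rel: check_file(docroot, rel) for rel in changed}
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(logpath, "a", encoding="utf-8") as log:
        for rel, problems in report.items():
            log.write(f"{stamp} {rel} {'REJECTED' if problems else 'OK'}\n")
            log.writelines(f"    {p}\n" for p in problems)
    return report

def demo():
    # Constructed document root: one compliant page, one page and one file that break the rules.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "products"))
    files = {
        "index.html": '<a href="products/list.html">Products</a>',
        "products/list.html": '<!-- draft, ask J. for prices --><a href="../../intern/notes.html">notes</a><a href="old.html">old</a>',
        "Price List.pdf": "",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return check_changes(root, list(files), os.path.join(root, "changes.log"))
```

Calling demo() returns the per-file findings and writes changes.log next to the constructed document root; in practice the list of changed files would come from the upload step itself.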

Restrictions on accessing the WWW server

Before a WWW server is commissioned and every time before it is updated, it must be established who is permitted to retrieve information from the WWW server. It must be clarified whether only staff within the company's or agency's own organisation, plus teleworkers, are allowed to access the provided information, or also any external user or only a restricted circle of users. These restrictions may also vary according to the type of information on offer in each case.

If access to the WWW server is to be made possible for a limited group of people only, measures to ensure this must be implemented, as described in S 4.94 Protection of WWW files, for example.

It is also necessary to clarify whether users should fundamentally only be able to retrieve information, or whether they should also be able to upload new information themselves. In this case, too, it must be established which group of people has which rights.

Clear structuring

As HTML files do not have to be arranged hierarchically, the directory structure on a WWW server has no bearing on how the server operates. To facilitate maintenance, however, care should be taken to ensure that the structure is clear.

It may be the case that links to your documents will be created on other WWW servers; changes to document names or directory names should therefore be avoided. Consequently the directory structure must be planned with expansion in mind.

Making documents available

Once the organisational hurdles have been overcome, work can begin on making information available on the network. An Internet WWW server is a form of presenting the organisation to the outside world, so the Internet presence should be prepared with commensurate care.

It is advisable to gain experience with an intranet WWW server first, before connecting a WWW server to the Internet. It is best to start with a small number of simple applications.

Information can be made available in the form of HTML files or can be integrated into HTML files, such that the information can be read directly when accessed with a browser. Alternatively it can also be made available as files ready for downloading, in any other required format. In this case the files first have to be stored on the user's IT system before they can be viewed or used for any purpose.

All HTML documents and WWW files intended for publication on the Internet should be subjected to quality control and have their content approved before publication in exactly the same way as any other published document.

HTML documents can be produced with special-purpose HTML editors, or documents produced in other formats can be converted to HTML with HTML converters.

If it is intended to make a large number of documents available which change often, it is advisable to link the WWW server to a document database. This approach gives users the means to search for and view documents quickly, and to perform document administration. It can also be useful if a database link gives users access to existing corporate data.

Before new files are loaded onto a WWW server, they must be checked to determine whether they still contain any residual information (see S 4.64 Verification of data before transmission / elimination of residual information).

Configuration management

Experience shows that the contents of WWW pages frequently change, so it is important to have set up a properly functioning configuration management procedure. Links and references must be checked to ensure that they are up to date, and a virus check must be performed with an up-to-date computer virus scanning program before the pages are published.

It is equally important that all publications should pass through a specified and retraceable checking procedure. This should include quality control of the contents but also formal approval of the document. It is also necessary to examine whether the information is suitable for publication at all, or whether it is confidential, for example, or is subject to data privacy protection rules or is copyright-protected or restricted in some similar way.

Information that has been released for publication via electronic media should be digitally signed in order to give all readers the possibility of checking the authenticity of the information.

Publications which do not reflect the opinions of the organisation must be identified as such.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999